version 1.57, 2018/10/14 19:34:34 |
version 1.58, 2018/10/14 22:50:28 |
|
|
process to the specified files and directories. It is most |
process to the specified files and directories. It is most |
powerful when properly combined with privilege separation |
powerful when properly combined with privilege separation |
and <a href="https://man.openbsd.org/pledge.2">pledge(2)</a>. |
and <a href="https://man.openbsd.org/pledge.2">pledge(2)</a>. |
|
<li>Implemented MAP_STACK option for |
|
<a href="https://man.openbsd.org/mmap.2">mmap(2)</a>. |
|
At pagefaults and syscalls the kernel will check that the |
|
stack pointer points to MAP_STACK memory, which mitigates |
|
against attacks using stack pivots. |
<li>New RETGUARD security mechanism on amd64 and arm64: |
<li>New RETGUARD security mechanism on amd64 and arm64: |
use per-function random cookies to protect access to function |
use per-function random cookies to protect access to function |
return instructions, making them harder to use in ROP gadgets. |
return instructions, making them harder to use in ROP gadgets. |
|
<li><a href="https://man.openbsd.org/clang-local.1">clang(1)</a> |
|
includes a pass which identifies common instructions which |
|
may be useful in ROP gadgets and replaces them with safe |
|
alternatives on amd64 and i386. |
|
<li>The Retpoline mitigation against Spectre Variant 2 has been |
|
enabled in <a href="https://man.openbsd.org/clang.1">clang(1)</a> |
|
and in assembly files on amd64. |
<li>Simultaneous multithreading (SMT) is now disabled by default |
<li>Simultaneous multithreading (SMT) is now disabled by default |
and can be enabled with the new <code>hw.smt</code> |
and can be enabled with the new <code>hw.smt</code> |
<a href="https://man.openbsd.org/sysctl.2">sysctl(2)</a> variable. |
<a href="https://man.openbsd.org/sysctl.2">sysctl(2)</a> variable. |